The Many Cyber Exclusions in D&O Policies

Despite all of the large-scale hacks and cyber-related headlines, cyber security litigation itself remains in its infancy. Case law is sparse, and policy language is slowly beginning to adapt itself to modern risk. In the interim, the C-suite is being confronted with constantly increasing regulatory requirements and new cyber exposures that threaten to test their abilities to remain in compliance – from breach notification laws, to social media related Regulation FD violations and more. It goes without saying that the cyber risk environment has changed everything. Most companies are aware of the importance of separate cyber insurance; however, some companies still operate under an assumption that coverage will be afforded under the professional liability or directors & officers insurance policies. Truth is, these policies fit together like carefully cut puzzle pieces, and there is no single product or one-size-fits-all solution that will provide the depth of coverage that companies require – particularly public companies. In exploring directors and officers insurance policies, it is difficult to determine precisely how well current policies are structured to respond to cyber events and/or cyber-related litigation, but there are certainly a number of challenges to overcome. Definitions and insuring clauses aside, a quick review of the exclusions alone reveals a number of potential exit points for carriers to rely on post claim.

For the purpose of this article, it is important to begin with an introduction to “lead in” language. As most attorneys are already aware, insurers often use broad language when applying exclusionary clauses. Such language will often preclude coverage for claims “for, based upon, arising from, in consequence of, or related to” the specific exclusion being carved out. The intent is to exclude coverage for uninsurable risks such as business/contractual risks and those that should be insured elsewhere (such as under a more appropriate E&O policy). The broad nature of this “arising from/related to” language, however, allows the carrier greater flexibility in declining a much wider range of potential claims. In contrast to this broad lead in language, some carriers’ policies contain preferable, narrower wording that simply precludes coverage explicitly “for” these claims (as opposed to for, based upon, related to, etc.). This “narrower” lead in language can often be difficult to obtain – and will often depend largely on the specific exclusion itself. For example, it may be easier to obtain when addressing the contractual exclusion and more difficult when addressing the “professional services” exclusion. However, for purposes of negotiating and comparing coverage, buyers (and their advisors) should be aware of the advantages this language offers. Naturally, policies lacking any of the below exclusions entirely should be favored over policies that do contain such exclusions. The same holds true for policies that contain narrower lead in language.

Explicit Cyber exclusions: While specific cyber exclusions have not become industry standard language yet, a greater number of carriers are incorporating carve-outs at a slowly growing rate, precluding coverage for some form of “privacy incidents.” Just what constitutes a privacy incident can vary greatly and should be reviewed carefully. At this stage, insureds should be able to exercise avoidance, navigating around this exclusion. Absent the ability to do so however, buyers should ensure that the exclusion contains a carve-back for any resulting securities claims. Due to the fact that cyber related securities claims are looming, and almost all cyber policies contain a securities exclusion in one form or another, this is an area in which public companies in particular should pay great attention.

Terrorism: While fairly uncommon, some D&O policies (and cyber policies alike) contain broad terrorism exclusions. Professional liability experts fear these exclusions have the potential to significantly reduce/eliminate coverage for cyber intrusions. The standard client (and broker for that matter) probably wouldn’t consider a data breach an act of terrorism. That is why, when buyers and brokers are reviewing policy language, it is deceptively easy to overlook its implications, which could prove a costly mistake. For example, insurance carriers could likely make a fair argument that a targeted ransomware attack, which is intended to hold data “hostage” while demanding a ransom payment, is a form of terrorism. The same holds true for DoS attacks whose sole intention is to interrupt business, create panic and cause financial loss. While cyber losses caused by employees and self-propagating code are less likely to be construed as acts of terror, these exclusions are often worded very broadly and their interpretations can be unpredictable. Accordingly, brokers and attorneys should pay careful attention to such language and avoid this exclusion entirely when able. Absent the ability to avoid this exclusion, narrowing the lead in language would be the natural next step. Lastly, buyers should attempt to negotiate additional language with the carrier to affirmatively carve back coverage for cyber incidents and any resulting securities claims.

Contractual: Due to its far-reaching implications, the contractual exclusion consistently attracts considerable critique. It is understandable that no insurer intends to provide indemnification for contractual obligations or resulting disputes that might arise. However, due to the fact that contracts are such an integral part of doing business, any usage of overly broad lead in language when applying this exclusion has the potential to preclude coverage for a wide range of claims. In order to meet vendor qualification and third party compliance requirements, many companies are required to make representations confirming that they maintain internal cyber security controls that meet/exceed a minimum standard. When cyber intrusions financially impact those third parties, clients/vendors may assert that the damages sustained resulted (at least in part) from misrepresentations within those contracts – particularly when specific security standards were not maintained. Additionally, the data/confidential information affected during a breach may also be related to (or protected under) a contract. For example, an insurance agency acquiring social security numbers or information regarding an upcoming M&A is obtaining that information in relation to a contract. Law firms regularly handle/store corporate confidential information such as IP or non-public financial information that is explicitly protected under non-disclosure clauses contained within contracts. These cases all highlight the importance of narrowing the lead in language or removing the exclusion altogether. Any reference to “oral contracts” should also be removed. Lastly, buyers and their brokers can also attempt to negotiate language that carves back claims arising from data breaches.

BI/PD (invasion of privacy): Most D&O policies contain broad exclusions for claims arising from bodily injury or property damage. These exclusions almost always include “emotional distress” and, more importantly, “invasion of privacy” and/or “privacy incidents”. Due to the fact that almost all breaches may be considered an invasion of privacy in one form or another, and due to the fact that breaches can inflict considerable emotional distress, such language also has the ability to preclude coverage during cyber events. While it is often difficult to bypass the BI/PD exclusion entirely, the focus should be on restricting the language as much as possible by negotiating: 1) narrow lead in language, and 2) the removal of any overly broad terms such as “emotional distress” and/or “invasion of privacy”. For industries such as manufacturing and healthcare that have real bodily injury exposures resulting from a data breach, these exclusions deserve an even more thorough critique. The fact that cyber policies maintain their own BI/PD exclusions makes proper coordination even more challenging.

IP Exclusions: Intellectual property is a broad term, encompassing patents, trade secrets, source code and more. Many businesses’ financial success depends on their IP. That inherent value also makes it a target for cyber criminals, as demonstrated by the recent breach against ThyssenKrupp which targeted technical trade secrets. When reviewing the IP exclusion, it is important to understand whether the exclusion is worded in a manner that might apply to the organization’s own IP, or whether the exclusion is specifically worded to preclude claims for “infringement or misappropriation” of others’ IP. Law firms, accounting firms, and cloud providers are often in possession of client side IP, which if exposed, could result in litigation. The definition of intellectual property should also be considered. Policies that include overly broad terms such as “any other intellectual property” should be viewed as unacceptable. Due to the tremendous value of source code and the tendency of hackers to target it, insureds should favor policies that do not include “source code” within their IP exclusion. Further complicating matters – many cyber policies have their own IP exclusions. Insureds should attempt to avoid this exclusion entirely when possible. Absent that ability, buyers should negotiate a carve back for securities related suits resulting from loss of their own IP and/or losses resulting from data breaches/intrusions.

Insured Vs Insured: Between employee benefits (and associated PHI) and payroll and tax return information, HR departments process and store a significant amount of employees’ personal information. For purposes of committing tax return fraud and identity theft schemes, hackers have recently begun to target this information, as demonstrated by the Seagate phishing attack earlier this year which exposed all of their employees’ W-2s. Many companies also provide employee stock option plans which may suffer a drop following a large-scale security event. Private company D&O forms often broaden the definition of insured to include advisory boards and employees. This broadened definition may seem advantageous; however, it can also trigger the “insured vs insured” exclusion. For this reason, and others, buyers should carefully address the “insured vs insured” exclusion, carving back coverage for claims resulting from cyber breaches. Many modern policies will agree to substitute this exclusion with a more modern “entity vs insured” exclusion which will often solve the underlying issue. Another atypical solution would be to voluntarily exclude “employees” from the definition of insured.

Other insurance: Some policies include a “failure to maintain insurance” exclusion. While this is not a specific cyber exclusion per se, it can act much in the same way, precluding coverage for claims related to the failure to acquire or maintain adequate insurance. The term “adequate insurance” alone can be difficult to define, especially when it comes to cyber insurance. Is placement of any cyber policy enough to bypass this exclusion or must it be inclusive of certain terms or coverages such as social engineering fraud? While companies with any degree of cyber exposure should be performing their due diligence and placing separate cyber coverage, some companies continue to opt out of such insurance. Considering the tremendous potential for financial damage following a data breach, and the ability for such an event to trigger claims from investors/shareholders in response, it is particularly important for those companies to ensure that their D&O policy does not contain such an exclusion. Luckily, this particular clause is fairly antiquated and easy to bypass on modern policies.

Exclusions: While the above list provides a broad guide to general policy exclusions, much of the language requiring review will depend on the insured’s operations and risk profile. For example, companies providing tech services may be particularly affected by their policy’s “professional services” exclusion, whereas companies engaged in the manufacturing of tech hardware may discover their policy contains a “product defect” exclusion which could severely limit or negate coverage for cyber liability.

*Evan Bundschuh is vice president and commercial lines head at GB&A, an independent insurance brokerage located in New York focused on insurance programs and risk management solutions for tech companies, financial and professional services, manufacturers and product-based businesses. As an RPLU with 15 years of industry experience, he assists clients with insurance program coordination and client-side advising on directors & officers (D&O), professional liability (E&O) and cyber insurance and is a contributor on the topics of risk and insurance. You can contact Evan @ evan.bundschuh@gbainsurance.com or learn more about GB&A here.